CanaryBit Tower
Orchestrate Trusted Execution Environments (TEE)
CanaryBit Tower is a Confidential Computing resources orchestration service. It helps end-users deploy secure processing environments and provides control over configuration drift.
It creates all the required infrastructure resources and one or more Trusted Execution Environments (TEEs, see Confidential Computing). Tower orchestrates TEEs either on the resources of a Cloud Service Provider of your choice, or On-Prem. It destroys all the resources once the execution is completed or compromised. Each trusted execution environment is single-use and immutable once created.
CanaryBit Tower consists of multiple Terraform / OpenTofu module configurations. A module is a collection of resources that CanaryBit Tower manages together.
What is a module?
To learn more about the module concept and how to use it, refer to the official Terraform or OpenTofu documentation.
Requirements
- Access to the target infrastructure provider;
- CLI access to your cloud platform (e.g. Azure CLI, AWS CLI, etc.).
Download
Below is a list of configurations for both Public Clouds and Bare-metal / Private setups supported by CanaryBit Tower.
Public Clouds
The below configurations are free to use under the Apache-2.0 licence.
Bare-metal / Private setups
A Premium License is required for the following configurations: Buy Premium
- VMware: Infrastructure as Code (IaC) configuration for VMware Confidential VMs
- Proxmox: Infrastructure as Code (IaC) configuration for Proxmox Confidential VMs
- OpenShift: Infrastructure as Code (IaC) configuration for OpenShift Confidential VMs/Nodes
- Libvirt/QEMU: Infrastructure as Code (IaC) configuration for Bare-metal Confidential VMs
Deploy & Verify
Automatically deploy Confidential VMs (cVM) by applying the configuration specific to the selected target infrastructure, as follows:
Credentials
1. Source your target infrastructure credentials (e.g. AWS), for example from a file aws.rc:
export AWS_ACCESS_KEY_ID=***
export AWS_SECRET_ACCESS_KEY=***
export AWS_REGION=***
2. Source your CanaryBit credentials, for example from a file cb.rc:
export CB_USERNAME=***
export CB_PASSWORD=***
Tip
The module expects your CanaryBit username (cb_username) and password (cb_password) as input.
To pass this sensitive information without writing it into the configuration, export it through Terraform's TF_VAR_ environment variables:
# double quotes keep a password containing spaces or shell metacharacters intact
export TF_VAR_cb_username="$CB_USERNAME"
export TF_VAR_cb_password="$CB_PASSWORD"
Configure
Edit the CanaryBit Tower module configuration.
The below example shows the lines/code-blocks that can be customized according to the expected target environment.
...
// ========================
// Confidential VM (CVM)
// ========================
module "confidential-vm" {
  // ************** DO NOT REMOVE THESE LINES ****************** //
  source      = "canarybit/tower/canarybit//modules/aws"
  cb_username = var.cb_username
  cb_password = var.cb_password
  // ************** CUSTOM CONFIG BELOW THIS LINE ************** //
  // Confidential VM
  count           = var.n_of_cvm              // number of Confidential VMs to create
  cvm_name        = "my-cvm-${count.index}"   // one distinct name per instance
  cvm_ssh_enabled = true
  cvm_ssh_pubkey  = "~/.ssh/id_rsa.pub"
  cvm_size        = "c6a.xlarge"
  // Remote Attestation
  remote_attestation = {
    cc_environments = "snp"
  }
}
...
For more information about the possible arguments, please refer to the Inputs tab of each module (e.g. AWS module: Inputs).
With Attestation (recommended)
To enable Remote Attestation, add the remote_attestation code-block to the module and provide the required variables.
In this scenario, CanaryBit Tower uses a specific cloud-init file (attested.yml) that verifies the security characteristics of each Confidential VM at boot time or at a custom cadence.
Never trust, always verify!
Environment verification with CanaryBit Inspector service is recommended to certify the security capabilities of the execution environments, mitigate risks and ensure privacy.
Without Attestation
To disable Remote Attestation, remove the remote_attestation code-block from the module.
In this scenario, CanaryBit Tower uses a different cloud-init file (default.yml) at boot time, with no verification step.
You are at risk!
The security characteristics of this environment are NOT VERIFIED! In this scenario, you are still trusting the hypervisor/infrastructure provider.
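Because the only configuration difference between the two scenarios is the presence of the remote_attestation block, a pre-apply check can catch configurations that drop it. The following added example is not part of CanaryBit Tower: it scans the root module's HCL text for module blocks that source canarybit/tower/canarybit and reports which of them lack the block, so a CI pipeline can fail before terraform apply. The scanner, the module labels and the sample HCL are constructed for illustration.

```python
"""Added pre-apply policy check (not part of CanaryBit Tower): report Tower module
blocks that lack a remote_attestation block, to fail CI before `terraform apply`."""
import re
MODULE_START = re.compile(r'module\s+"([^"]+)"\s*\{')
TOWER_SOURCE = re.compile(r'source\s*=\s*"canarybit/tower/canarybit[^"]*"')
ATTESTED = re.compile(r'remote_attestation\s*=\s*\{[^}]*\bcc_environments\s*=')
def _block_end(text: str, open_idx: int) -> int:
    """Index just past the brace matching text[open_idx]. Braces inside strings
    (e.g. "my-cvm-${count.index}") and in // or # line comments are ignored."""
    depth, i, in_str = 0, open_idx, False
    while i < len(text):
        ch = text[i]
        if in_str:                  # strings first: the "//" in "…//modules/aws" is not a comment
            if ch == "\\":
                i += 1              # skip the escaped character
            elif ch == '"':
                in_str = False
        elif ch == "#" or text.startswith("//", i):
            nl = text.find("\n", i)
            i = nl if nl >= 0 else len(text)   # skip to the end of the line comment
        elif ch == '"':
            in_str = True
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    raise ValueError("unbalanced braces in HCL text")

def check_tower_modules(hcl: str) -> dict[str, bool]:
    """Map each Tower module label to True if it enables Remote Attestation.
    Not a full HCL parser: nested quotes inside ${...} are not handled."""
    result = {}
    for m in MODULE_START.finditer(hcl):
        body = hcl[m.end() - 1:_block_end(hcl, m.end() - 1)]
        if TOWER_SOURCE.search(body):   # other modules (networks etc.) are out of scope
            result[m.group(1)] = ATTESTED.search(body) is not None
    return result

SAMPLE_HCL = '''# constructed sample: one attested module, one without the block, one non-Tower module
module "confidential-vm" {
  source   = "canarybit/tower/canarybit//modules/aws"
  cvm_name = "my-cvm-${count.index}"   // braces inside a string
  remote_attestation = { cc_environments = "snp" }
}
module "cvm-no-attestation" { source = "canarybit/tower/canarybit//modules/aws" }
module "vpc" { source = "./modules/network" }   # not a Tower module, ignored
'''
```

Running check_tower_modules over the concatenated *.tf files of the root module and failing when any value is False gives the gate; the sample above reports cvm-no-attestation as unattested and ignores the vpc module.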
Apply
Apply the configuration with Terraform:
terraform init
terraform apply
or OpenTofu:
tofu init
tofu apply
During the deployment CanaryBit Tower:
- authenticates towards your infrastructure provider;
- authenticates towards CanaryBit;
- creates the Confidential VMs and required virtual resources, e.g. networks, security groups, etc.;
- injects the cloud-init (with or without Remote Attestation enabled) in each deployed Confidential VM;
- returns the details of the provisioned resources.
Collect the Attestation report
Log in to the Inspector dashboard with your CanaryBit credentials and download the full verification and audit report.